Re: [PATCH libnfnetlink 1/1] src: Minimally resurrect doxygen documentation

From: Jeremy Sowden <jeremy@azazel.net>
To: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH libnfnetlink 1/1] src: Minimally resurrect doxygen documentation
Date: Wed, 23 Oct 2019 16:58:28 +0100	[thread overview]
Message-ID: <20191023155827.GA5267@azazel.net> (raw)
In-Reply-To: <20191023151205.GA5848@dimstar.local.net>

[-- Attachment #1: Type: text/plain, Size: 2157 bytes --]

On 2019-10-24, at 02:12:05 +1100, Duncan Roe wrote:
> Just this morning I was going to get back into libnetfilter_queue
> documentation, starting with the other 2 verdict helpers.
>
> But I ran into a conundrum with nfq_nlmsg_verdict_put_mark (the one I
> didn't use). It's a 1-liner (in src/nlmsg.c):
>
> > 56  mnl_attr_put_u32(nlh, NFQA_MARK, htonl(mark));
>
> But examples/nf-queue.c has an example to set the connmark which
> doesn't use nfq_nlmsg_verdict_put_mark()
>
> Instead it has this line:
>
> > 52  mnl_attr_put_u32(nlh, CTA_MARK, htonl(42));
>
> The trouble is, NFQA_MARK *is different from* CTA_MARK. NFQA_MARK is
> 3, while CTA_MARK is 8.
>
> At this point, I felt I did not understand the software well enough to
> be able to document it further. If you could shed some light on this
> apparent disrcepancy, it might restore my self-confidence sufficiently
> that I can continue documenting.

`NFQA_MARK` is used for setting the `nfmark`; `CTA_MARK` is used for
setting the `ctmark`.  Here are the relevant stanzas from the NF
Kconfig:

  config NETFILTER_XT_MARK
    tristate 'nfmark target and match support'
    default m if NETFILTER_ADVANCED=n
    ---help---
    This option adds the "MARK" target and "mark" match.

    Netfilter mark matching allows you to match packets based on the
    "nfmark" value in the packet.
    The target allows you to create rules in the "mangle" table which
    alter the netfilter mark (nfmark) field associated with the packet.

    Prior to routing, the nfmark can influence the routing method and
    can also be used by other subsystems to change their behavior.

  config NETFILTER_XT_CONNMARK
    tristate 'ctmark target and match support'
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CONNTRACK_MARK
    ---help---
    This option adds the "CONNMARK" target and "connmark" match.

    Netfilter allows you to store a mark value per connection (a.k.a.
    ctmark), similarly to the packet mark (nfmark). Using this target
    and match, you can set and match on this mark.

`nfq_nlmsg_verdict_put_mark` sets an `nfmark` whereas the example is
setting a `ctmark`.

J.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]